CVE-2026-49278
Deferred Deferred - Pending Action

Information Disclosure in Rocket.Chat

Vulnerability report for CVE-2026-49278, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1, token is returned in the response. It looks like there's no use case for the token to be present in the response and it would be a good security practice to remove it altogether. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rocket.chat rocket.chat to 8.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Rocket.Chat installation to one of the fixed versions: 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, or 7.10.12.

This will ensure that the token is no longer returned in the visitors.info endpoint response, removing the security risk.

Detection Guidance

This vulnerability involves the exposure of a token in the response from the visitors.info endpoint in Rocket.Chat versions prior to the fixed releases.

To detect this vulnerability on your system or network, you can attempt to query the visitors.info endpoint and inspect the response for the presence of a token.

A possible command to test this using curl would be:

  • curl -k -H "Authorization: Bearer <valid_token>" https://<rocket.chat-server>/api/v1/visitors.info?visitorId=<visitor_id>

If the response contains a token field, the system is vulnerable. If the token is absent, the system is likely patched.

Compliance Impact

The vulnerability exposes a Bearer token and sensitive visitor information without proper authorization, which can lead to unauthorized access to confidential data.

Such unauthorized disclosure of sensitive information can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data to ensure confidentiality and integrity.

The issue is due to improper authorization (CWE-285), indicating a failure to enforce access controls, a key requirement in these standards.

Fixing this vulnerability by removing the token from the response and enforcing proper authorization helps maintain compliance with these regulations.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive tokens through the visitors.info endpoint. Since the token is returned in the response without a valid use case, it could be exploited by attackers to gain unauthorized access or escalate privileges, potentially compromising confidentiality, integrity, and availability of the system.

Executive Summary

This vulnerability exists in Rocket.Chat versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12. It involves the visitors.info endpoint returning a token in its response, which appears to have no legitimate use case. The presence of this token in the response is considered a security risk, and the vulnerability was fixed by removing the token from the response in the specified versions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49278. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart